oss-sec mailing list archives
CVE-2023-4809: FreeBSD pf bypass when using IPv6
From: Enrico Bassetti <bassetti () di uniroma1 it>
Date: Fri, 8 Sep 2023 19:48:21 +0200
Hello *,

A few months ago, as part of our investigations on IPv6 security in the NetSecurityLab @ Sapienza University, we discovered a vulnerability that allows attackers to bypass rules in pf-based IPv6 firewalls in particular conditions.

Vulnerability (TL;DR)
==============

A FreeBSD with `pf` as firewall for IPv6 traffic and `scrub` enabled to reassemble IPv6 fragments is vulnerable to an attack that uses a crafted packet posing as an IPv6 "atomic" fragment to bypass the rules. After the fragment is matched against some firewall rules (but not all!), it is then "corrected" and forwarded to the destination (if no "deny" rule is matched).

References
==============

This vulnerability has been assigned the ID CVE-2023-4809.

The FreeBSD advisory is at https://www.freebsd.org/security/advisories/FreeBSD-SA-23:10.pf.asc

We wrote a description with an example at: https://www.enricobassetti.it/2023/09/cve-2023-4809-freebsd-pf-bypass-when-using-ipv6/

Solution
==============

The solution is to update FreeBSD to the latest version. All FreeBSD versions up to (but not including) 13.2-STABLE, 13.2-RELEASE-p3, 12.4-STABLE, and 12.4-RELEASE-p5 are affected.

Best regards,
Enrico Bassetti
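As an added illustration, not part of the advisory or of FreeBSD's own code: a small Python parser that walks an IPv6 extension-header chain and classifies packets, flagging "atomic" fragments (a Fragment header with offset 0 and the M flag clear), the packet shape the advisory says can slip past pf rules before scrub "corrects" it. The sample packets, addresses and fragment IDs below are constructed; a capture-side check like this is one way to log how much atomic-fragment traffic a firewall actually sees.

```python
import struct

IPV6_HDR_LEN = 40
FRAGMENT = 44
# Extension headers that may precede the Fragment header; each carries a length byte
CHAINED_EXT = {0: "hop-by-hop", 43: "routing", 60: "dst-opts"}


def _ipv6(payload: bytes, next_header: int) -> bytes:
    """Wrap payload in a constructed IPv6 base header (documentation-prefix addresses)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


def parse_fragment_header(pkt: bytes):
    """Walk the extension-header chain; return Fragment header fields, or None if absent."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, pos = pkt[6], IPV6_HDR_LEN
    while nh in CHAINED_EXT:
        if pos + 2 > len(pkt):
            raise ValueError("truncated extension header")
        # byte 0 = next header, byte 1 = length in 8-octet units not counting the first 8
        nh, pos = pkt[pos], pos + (pkt[pos + 1] + 1) * 8
    if nh != FRAGMENT:
        return None
    if pos + 8 > len(pkt):
        raise ValueError("truncated Fragment header")
    inner_nh, _reserved, off_flags, ident = struct.unpack("!BBHI", pkt[pos:pos + 8])
    offset, more = off_flags >> 3, off_flags & 1   # 13-bit offset, 2 reserved bits, M flag
    return {"next_header": inner_nh, "offset": offset, "more": bool(more),
            "id": ident, "atomic": offset == 0 and more == 0}


def classify(pkt: bytes) -> str:
    """'unfragmented', 'fragment', or 'atomic-fragment' (offset 0 and M flag clear)."""
    frag = parse_fragment_header(pkt)
    if frag is None:
        return "unfragmented"
    return "atomic-fragment" if frag["atomic"] else "fragment"


# Constructed samples: the same 8-byte ICMPv6 echo-like payload behind different header chains.
ICMP6_ECHO = bytes([0x80, 0, 0, 0, 0, 1, 0, 1])
UNFRAGMENTED = _ipv6(ICMP6_ECHO, 58)
ATOMIC_FRAGMENT = _ipv6(struct.pack("!BBHI", 58, 0, 0, 0x1234) + ICMP6_ECHO, FRAGMENT)
FIRST_FRAGMENT = _ipv6(struct.pack("!BBHI", 58, 0, 1, 0x1234) + ICMP6_ECHO, FRAGMENT)
# Atomic fragment hidden behind a Destination Options header (one PadN option)
DSTOPT_ATOMIC = _ipv6(bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])
                      + struct.pack("!BBHI", 58, 0, 0, 0x5678) + ICMP6_ECHO, 60)

if __name__ == "__main__":
    for name, pkt in [("plain", UNFRAGMENTED), ("atomic", ATOMIC_FRAGMENT),
                      ("first", FIRST_FRAGMENT), ("dstopt+atomic", DSTOPT_ATOMIC)]:
        print(f"{name:14s} -> {classify(pkt)}")
```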